WHOIS Comments

["Dominik Filipp" <dominik.filipp@xxxxxxxx>]

Hello,

the following lines represent my opinion and my ideas over the Whois
issue addressed in the Preliminary Task Fort Report on Whois Services
('Preliminary Report') document. I've also tried to reflect some
valuable ideas that came forth during the long-term discussion over this
topic on the GA forum.

* * *

(1) Define the purpose of the WHOIS service in the context of ICANN's
mission and relevant core values, international and national laws
protecting privacy of natural persons, international and national laws
that relate specifically to the WHOIS service, and the changing nature
of Registered Name Holders.

>> The Whois service allows to access identity data related to the
technical information of registered domain name as well as domain name
Holder's identity having legal right to use the domain name during the
predefined period, provided all necessary legal requirements are met and
demanded fees payed. In summary, the Whois service allows

- access to the Holder identity data to the public to a certain degree
  explicitly specified for this purpose;
- disclosure of all identity data in case of law enforcement or other
  allowable legal proceedings;

* * *

(2) Define the purpose of the Registered Name Holder, technical, and
administrative contacts, in the context of the purpose of WHOIS, and the
purpose for which the data was collected.

>> The purpose of the contacts is sufficiently defined in the
Preliminary Report and I also support replacing the existing technical
and administrative contacts with the newly introduced OPoC contact.
There could be just two contact points, Holder contact and OPoC contact
with the purpose defined in the Report.
However, there should be just one OPoC contact (not multiple OPoC
contacts) accessible, as the meaning of multiple contacts would be even
more confusing than the current structure of more or less clear Admin
and Technical contacts. To improve registrar or legal dispute
accessibility via one OPoC contact, there could rather be more email
addresses and phone numbers specified in the OPoC, out of which only the
first (or 'leading') entry would be published.

* * *

(3) Determine what data collected should be available for public access
in the context of the purpose of WHOIS.

>> Basically, we can view the Whois record as a record consisting of two
sub-records

1. Domain Technical Sub-Record - containing domain-specific technical
data such as domain name, sponzoring registrar, name servers, etc. All
data in this sub-record can be published without restrictions. Also the
data structure of this sub-record can remain intact.

2. Domain Holder Sub-Record - containing mainly Holder's
(personal/contact) identity data, majority of which can be considered
sensitive requiring different treatment when accessed. It is this
sub-record that is subject to highly disputed access restrictions.

As far as I've noticed, there is no common agreement upon what data
should be published and to which degree. The problem is even the term
'available for public access' itself, which can have at least two
legitimate meanings

Public Access Types
-------------------
a) 'direct access', when anybody can see the identity directly without
   restrictions (web page);
   This access is vulnerable to data mining, automated identity
harvesting, etc.

b) 'on-request' confirmed access, when anybody can send a request (to
registrar,
   or thick registry) and receive the response upon additional
confirmation
   mechanism (image control-code, email confirmation);
   This access is generally considered much less vulnerable to automated
data
   harvesting, depending on degree of confirmation mechanism used.

Both accesses constitue 'public availability' as there are no
restrictions on who the data can be delivered to.

When discussing the public data availability several contradictory
viewpoints are apparent

a) Registrants tend to hide their identity data calling for keeping
individual and/or collective privacy right for variety of legitimate
reasons (personal safety, security, anti-spam protection, persecution,
abuse).

b) Suspected entities (spammers/scammers/speculators) call for the same
to hide their identity.

c) Companies harmed by copyright infringement or by other parties using
similar confusing domain name in bad faith call for disclosing as much
data as possible (the Red-Cross case, and many others).

d) Standard users want to access the data too in order to verify the
reliability of company before being charged via credit card, or before
initiating any sensitive negotiation/deal with the company.

e) Different national laws may impose different data privacy law
requirements (the Dutch versus the French models); and some others

Although, the prevailing tendency infered from the above mentioned
points is to enforce data disclosure, the registrants deserve more Whois
privacy than the Report proposes. The registrants, at least individual
persons, could have an option to fully hide his or her identity much
like it's common in phone directories not publishing hidden phone
numbers. That is, the Holder part would just contain an Holder ID, and
only the OPoC contact would be available. Applying the same approach for
non-commercial organizations and, especially, for commercial companies
is, for me, subject to further consideration.
Therefore, a further discussion over such a 'telecommunication model'
would be worthy.

At minimum, the Holder should be allowed to hide direct access to the
data (name, state, and country only) and be allowed the 'on-request'
public access (see Public Access Types above, point b) for making the
automatic data scanning impossible. The similar access type could also
be applied to selected OPoC data entries, such as email address or phone
number, provided a suitable data granulation for that purpose is
considered. Some other my ideas on the topic are descibed in my previous
mail sent on the whois-comments forum
http://forum.icann.org/lists/whois-comments/msg00058.html.

In certain circumstances (women's shelters, persecuted persons),
registrants would apply for identity-privacy status at some reliable
companies (but not in terms of the "Special Circumstances" process as
described in the Proposal) having a longer term experience and gaining
natural credibility. This could be an existing non-profitable
organization (maybe, such as 'truste.org'?). Such a private identity
could only be disclosed upon legal law enforcement requests.

"Special Circumstances"

In my opinion, establishing a new third-party company for dealing with
"Special Circumstances" as described in the proposal is not constructive
as this might bring all known side effects such as corruptibility, no
competition, high prices, poor services, etc. Instead, ICANN should
carefully review the existing companies and/or the organizations in this
area and try negotiating with most eligible ones. A possible agreement
should be subject to tendering, renewal and public commenting before the
renewal.

* * *

(4) Determine how to improve the process for notifying a registrar of
inaccurate WHOIS data, and the process for investigating and correcting
inaccurate data.

>> In my opinion, ensuring and verifying the accuracy of contact data is
hardly achievable on general basis. Neverheless, it could at least be
achieved in some countries and for some types of Holders (commercial
companies in countries where the company registry is publicly
accessible, and perhaps, also for non-commercial organizations).
In addition to an UDRP-like mechanism and law enforcement preceedings,
there could also be a public place on the Internet ('Point of
Indication') where individual users could sent suspected links,
allegedly non-compliant with the whois accuracy requirements. However,
there should then be an enity responsible for dealing with such input.

* * *

(5) Determine how to resolve differences between a Registered Name
Holder's, gTLD Registrar's, or gTLD Registry's obligation to abide by
all applicable laws and governmental regulations that relate to the
WHOIS service, as well as the obligation to abide by the terms of the
agreements with ICANN that relate to the WHOIS service.
>> [This task refers to the current work in the WHOIS task force called
'Recommendation 2', A Procedure for conflicts, when there are conflicts
between a registrar's of registry's legal obligations under local
privacy laws and their contractual obligations to ICANN.]

* * *

Strange Point in the Proposal
-----------------------------
On page 26 in the Proposal there is a paragraph

"(5) In lieu of having data corrected or revealed, registrant shall have
the option of
allowing the domain name to lapse. Where the registrant requests the
"lapse"
option, the domain name shall be stopped from resolving and registrant's
identifying information shall not be turned over to the requesting
party.
Registrant may request suspension pending resolution of the dispute in a
"John
Doe" (anonymous) proceeding, or cancellation (where registrant does not
respond or challenge the request). In either case, registrant's
information shall
not be turned over [unless that is specifically ordered in a judicial
proceeding]."

If I understand this well this could lead to an identity investigation
abuse and the whole point should be eliminated from the upcoming
proposal refinement.

Finally, it seems that the public commenting period on this issue is too
short and should fluently continue. Perhaps, on an improved Report
prepared meanwhile.

Dominik Filipp, a member of the GA list forum